d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netmap: Fix integer overflow in nmreq_copyin

Browse Source 
An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.

Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro
Zero Day Initiative
Security: CVE-2022-23085
This commit is contained in:
Vincenzo Maffione 2022-03-16 06:57:54 +00:00
parent adbf7727b3
commit 694ea59c70
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
sys/dev/netmap/netmap.c
View File

@ -3362,7 +3362,7 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size)
int
nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
{
size_t rqsz, optsz, bufsz;
size_t rqsz, optsz, bufsz, optbodysz;
int error = 0;
char *ker = NULL, *p;
struct nmreq_option **next, *src, **opt_tab;
@ -3410,8 +3410,18 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
error = copyin(src, &buf, sizeof(*src));
if (error)
goto out_err;
/* Validate nro_size to avoid integer overflow of optsz and bufsz. */
if (buf.nro_size > NETMAP_REQ_MAXSIZE) {
error = EMSGSIZE;
goto out_err;
}
optsz += sizeof(*src);
optsz += nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size);
optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size);
if (optbodysz > NETMAP_REQ_MAXSIZE) {
error = EMSGSIZE;
goto out_err;
}
optsz += optbodysz;
if (rqsz + optsz > NETMAP_REQ_MAXSIZE) {
error = EMSGSIZE;
goto out_err;